Date: Wed, 23 Jun 2010 14:01:14 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE requests: LibTIFF

In the past week, LibTIFF has released new versions upstream (3.9.3, and soon after, 3.9.4) that address a number of potentially security-relevant issues, some of which have not been assigned CVE identifiers.

The following issues will crash (or worse) any application linked against LibTIFF in the trivial case of viewing a maliciously crafted image:

1. Out-of-bounds read in TIFFExtractData() may result in application crash (no reference, fixed upstream). Reported by Dan Rosenberg.

2. Out-of-bounds read in TIFFVGetField() may result in application crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145). The fix for this issue was combined with the fix for CVE-2010-2065, but it appears to be a separate issue. Reported by Sauli Pahlman.

3. Memory corruption in TIFFRGBAImageGet() due to buffer overflow (https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605). Reported by Sauli Pahlman.

There is another series of issues that each lead to an application crash, reported at https://bugzilla.redhat.com/show_bug.cgi?id=583081 by Nicolae Ghimbovschi. However, these issues may require more user assistance, such as running specific conversion tools to process TIFF files, and as such may not need CVE identifiers. I thought I'd include them for completeness:

4. http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage fails when flipping vertically on 64-bit platforms")

5. http://bugzilla.maptools.org/show_bug.cgi?id=2208 ("Bogus ReferenceBlackWhite values can crash libtiff")

6. http://bugzilla.maptools.org/show_bug.cgi?id=2209 ("Assertion failure in OJPEGPostDecode") - this one is an assertion failure and not a segfault, so it might not need a CVE.

Finally, to avoid confusion, the following more serious issues were also fixed and have already received CVE identifiers:

7. Integer overflows leading to heap overflow in Fax3SetupState(). Reported by Kevin Finisterre (CVE-2010-1411).

8. Integer overflow in TIFFFillStrip() leading to heap overflow in TIFFReadRawStrip1(). Reported by Sauli Pahlman (CVE-2010-2065).

9. Stack overflow when processing SubjectDistance EXIF tags allows arbitrary code execution. Reported by Dan Rosenberg (CVE-2010-2067).

Thanks,
Dan
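Items 7 and 8 in the message above are the same bug class: a buffer size computed from file-controlled tag values wraps in narrow integer arithmetic, the decoder allocates the wrapped (small) size, and then writes the true (large) amount into it. The block below is an added illustration of that pattern, not libtiff code and not part of Dan's message. It uses hypothetical field names (`rows_per_strip`, `scanline_bytes`, `prefix_bytes`) standing in for the tag-derived quantities, assumes the size type is 32 bits (the narrow width is what makes the wrap possible), and shows the unchecked size computation beside an overflow-checked one. The "overflow" is only measured, never performed, so the program is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical strip geometry as a parser would derive it from untrusted
   tags (e.g. RowsPerStrip and the per-row byte count). Added example,
   not libtiff's data structures. */
struct strip_layout {
    uint32_t rows_per_strip;
    uint32_t scanline_bytes;
    uint32_t prefix_bytes;   /* hypothetical per-strip header, to show the add */
};

/* Vulnerable pattern: 32-bit multiply and add wrap silently, so a crafted
   file produces a tiny allocation for a strip that is actually huge. */
static uint32_t strip_bytes_unchecked(const struct strip_layout *l)
{
    return l->rows_per_strip * l->scanline_bytes + l->prefix_bytes;
}

/* Hardened pattern: same arithmetic, but every step that could wrap is
   checked first. Returns 1 and the size on success, 0 to reject the file. */
static int strip_bytes_checked(const struct strip_layout *l, uint32_t *out)
{
    uint32_t n;
    if (l->scanline_bytes != 0 &&
        l->rows_per_strip > UINT32_MAX / l->scanline_bytes)
        return 0;                              /* multiply would wrap */
    n = l->rows_per_strip * l->scanline_bytes;
    if (n > UINT32_MAX - l->prefix_bytes)
        return 0;                              /* add would wrap */
    *out = n + l->prefix_bytes;
    return 1;
}

/* What the decoder will really write for this strip, computed in 64 bits
   so the comparison below is exact. */
static uint64_t decoder_write_len(const struct strip_layout *l)
{
    return (uint64_t)l->rows_per_strip * l->scanline_bytes + l->prefix_bytes;
}

enum outcome { STRIP_REJECTED = 0, STRIP_SAFE = 1, STRIP_HEAP_OVERFLOW = 2 };

/* Simulates the allocate-then-decode step. Instead of writing past the
   buffer it reports by how many bytes the decoder would overrun it. */
static enum outcome simulate_strip_read(const struct strip_layout *l,
                                        int use_checked, uint64_t *overrun)
{
    uint32_t alloc;
    uint64_t need;

    if (use_checked) {
        if (!strip_bytes_checked(l, &alloc))
            return STRIP_REJECTED;             /* caught before allocation */
    } else {
        alloc = strip_bytes_unchecked(l);
    }
    need = decoder_write_len(l);
    *overrun = need > alloc ? need - alloc : 0;
    return *overrun ? STRIP_HEAP_OVERFLOW : STRIP_SAFE;
}

int main(void)
{
    /* Constructed inputs: one benign layout and two crafted ones. */
    const struct strip_layout cases[] = {
        {64, 1024, 0},               /* ordinary 64 KiB strip */
        {0x10000u, 0x10000u, 16},    /* product wraps to 0, alloc = 16 */
        {1, 0xFFFFFFF0u, 32},        /* add wraps, alloc = 16 */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t ov = 0;
        enum outcome u = simulate_strip_read(&cases[i], 0, &ov);
        uint64_t ov_u = ov;
        enum outcome c = simulate_strip_read(&cases[i], 1, &ov);
        printf("case %zu: unchecked=%d (overrun %llu bytes) checked=%d\n",
               i, (int)u, (unsigned long long)ov_u, (int)c);
    }
    return 0;
}
```

The checked version is what the fixes for this class of bug amount to in practice: reject the file when the size arithmetic cannot be represented, rather than trusting the wrapped result. Note that the check must precede the multiply; testing `n / scanline_bytes != rows_per_strip` after the fact also works, but the compiler may not treat the wrapped intermediate the way you expect if the operands are signed.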